
THREATINT
PUBLISHED

CVE-2024-1440

Open Redirection in Multiple WSO2 Products via Multi-Option Authentication Endpoint



Description

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.

Reserved 2024-02-12 | Published 2025-06-02 | Updated 2025-06-02 | Assigner WSO2


MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Problem types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Product status

Default status: unaffected
Any version before 5.10.0: unknown
5.10.0 before 5.10.0.278: affected
5.11.0 before 5.11.0.347: affected
6.0.0 before 6.0.0.185: affected
6.1.0 before 6.1.0.145: affected
7.0.0 before 7.0.0.30: affected

Default status: unaffected
Any version before 3.1.0: unknown
3.1.0 before 3.1.0.262: affected
3.2.0 before 3.2.0.344: affected
4.0.0 before 4.0.0.296: affected

Default status: unaffected
Any version before 5.10.0: unknown
5.10.0 before 5.10.0.298: affected

Default status: unaffected
Any version before 2.0.0: unknown
2.0.0 before 2.0.0.308: affected

Default status: unaffected
Any version before 2.0.0: unknown
2.0.0 before 2.0.0.327: affected

Default status: unknown
5.17.5 before 5.17.5.256: affected
5.18.187 before 5.18.187.257: affected
5.23.8 before 5.23.8.174: affected
5.25.92 before 5.25.92.77: affected
7.0.78 before 7.0.78.18: affected
7.0.111: unaffected

References

security.docs.wso2.com/...ty-advisories/2024/WSO2-2024-3171/ vendor-advisory

cve.org (CVE-2024-1440)

nvd.nist.gov (CVE-2024-1440)

Page: https://cve.threatint.eu/CVE/CVE-2024-1440